

Flashfake/Flashback Mac OS X botnet confirmed


10 replies to this topic

#1 Corrine (The Mystical Rose, Forum Admins, 3,481 posts)

Posted 06 April 2012 - 02:58 PM

If you are a Mac user, be sure to update!

QUOTE
Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.

We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.

It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.


Full report:  Flashfake Mac OS X botnet confirmed - Securelist

Related article:  Apple's security code of silence: A big problem | Apple - CNET News



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#2 Corrine (The Mystical Rose, Forum Admins, 3,481 posts)

Posted 06 April 2012 - 03:38 PM

Instructions here for Mac users to Update, Disable or Remove Your Java.

#3 LilBambi (Australisches Googler, Forum Admins, 21,131 posts)

Posted 09 April 2012 - 10:54 AM

  • Java update for OS X patches Flashback malware exploit – CNET:

    QUOTE
    Java for Mac OS X 10.6 Update 7
    Java for OS X Lion 2012-001
    ...
    If you have Java installed, you can check the version in the Java Preferences utility in your /Applications/Utilities/ folder, or you can launch the Terminal and run the command "java -version" to see an output of the current active version on your system.

  • Secure your Mac from Flashback infection – USAToday:

    QUOTE
    Flashback is technically not a trojan-horse application at all, but a "drive-by download" that infects computers by exploiting a vulnerability in Web software.

    That makes it much worse than a trojan: You just need to visit a malicious site, without downloading the wrong app or entering an admin password, to have this program silently take command of your Mac and begin altering the content of Web pages.

    That also sets Flashback apart from all of the other Mac viruses you might have heard about over the last few years. But it wasn't hard to see something like this happening.

    Flashback attacks a known weakness in the Java software Apple has bundled on Macs but often updated slower than other vendors. Apple released a fix last week —"Java for OS X Lion 2012-001" or "Java for Mac OS X 10.6 Update 7" depending on your version of OS X — but it came too late for the estimated 600,000 Macs infected so far.

  • Trojan-Downloader:OSX/Flashback.I – includes HowTo check if you are infected and manual removal instructions

  • Find Out if Your Mac Has the Flashback Trojan — the Fast and Easy Way – Mashable:

    QUOTE
    According to a report Thursday, more than 600,000 Macs could be infected with the nasty Flashback trojan.

    We’ve already detailed how to check your Mac to see if you’re infected — but that requires some command line code, and we know that not all users are comfortable doing that.

    Now we’ve gone one step further and wrapped those commands into two AppleScripts.

  • Quick protection for older Macs from the Flashback trojan - ZDNET:

    QUOTE
    There are reports that some 600K Macs have been infected, perhaps by some estimates 1 percent of the installed base of Macs. As I mentioned in a post last week, Mac OS X Lion and Snow Leopard are running on the majority of Macs. Still, Mac OS X Leopard and Tiger may be running on a quarter of Macs in the world.

    Likely, your machines are not infected. Before I installed the Apple updates, I checked my machines using the Terminal checking routine offered by the F-Secure website. It’s the first part of the Manual Removal process.


Yep, I did the same thing. Checked using F-Secure's steps to determine if you are infected. My Mac was clean but if it had not been, they also helped users manually remove it.

Java can be enabled and disabled as needed fairly easily. One can add the Java preferences from Applications/Utilities/Java Preferences.app. Just unclick the two boxes and turn them back on when needed.

Many think that Java is not needed and maybe in some cases that's true for everyday stuff, however, some banks make use of java applets, many remote sessions are powered by java applets as well, and some programs are based on java applets (one such program is RSSOwl and there are many others). Other than banks, there are still some websites that make use of Java applets as well. One that comes to mind is some of the NOAA and JPL, and other astronomy sites that make use of Java applets.

Sure Java can be abused just as Flash, RealPlayer, Quicktime, Windows Media Player/Flip4Mac, javascripting on webpages, and just about everything else that is an Internet facing program. But you don't see everyone trying to uninstall all of those programs...

I would imagine that many people can enable/disable Java as needed just as I noted above for Mac users.

The biggest problem Mac users had to deal with was Apple's two month +/- delay in getting the updated Java update to Mac users so long after Windows and Linux users already had their updates.
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#4 Temmu (The Assimilator, Forum MVP, 11,626 posts)

Posted 09 April 2012 - 04:01 PM

that is strange.  perhaps the mac philosophy is to test it to death to ensure it works / is un-hackable.  if so, not a bad philosophy.

#5 LilBambi (Australisches Googler, Forum Admins, 21,131 posts)

Posted 09 April 2012 - 05:20 PM

I hear ya Temmu, but I find it interesting that Oracle was able to get it done for all versions of Windows, Linux, BSD, Unix and get it done back in February.

IMHO, Apple was dragging their feet at the cost of their users.
Bambi
AKA Fran


#6 Temmu (The Assimilator, Forum MVP, 11,626 posts)

Posted 10 April 2012 - 12:08 AM

sad.  sounds like that is the case.

#7 ross549 (I live here., Forum MVP, 9,185 posts)

Posted 13 April 2012 - 03:44 PM

Looks like a Java update is available today to clean the infection.

Adam
I don't suffer from insanity, I enjoy it.

#8 LilBambi (Australisches Googler, Forum Admins, 21,131 posts)

Posted 13 April 2012 - 04:09 PM

Apple delivers Flashback malware hunter-killer
Third Java update in 9 days arrives as Apple scrambles to protect Mac users

QUOTE
Two days after Apple promised to decontaminate Macs infested with the Flashback malware, on Thursday the company delivered.
Yesterday's newest Mac OS X Java update includes a tool that will "remove the most common variants of the Flashback malware," Apple's advisory read.

Thank you Apple!
Bambi
AKA Fran


#9 LilBambi (Australisches Googler, Forum Admins, 21,131 posts)

Posted 13 April 2012 - 06:48 PM

Mac Flashback Infections Drop to 270,000: Symantec - eWeek

QUOTE
The software security firm says the infections are now less than half the 600,000-plus found last week by antivirus software vendors Kaspersky and Dr. Web.

The number of Apple Macs infected with the Flashback malware seems to be shrinking as Internet security software vendors roll out tools to detect and remove the exploit and run “sinkhole” operations to reduce its effectiveness.

Bambi
AKA Fran


#10 Corrine (The Mystical Rose, Forum Admins, 3,481 posts)

Posted 13 April 2012 - 08:30 PM

Apple released Flashback removal tools:

OS X Lion
Mac OS X 10.6 (Snow Leopard)

Symantec's report on the decline in infections:  OSX.Flashback.K – Suffering a Slashback – Infections Down to 270,000

#11 LilBambi (Australisches Googler, Forum Admins, 21,131 posts)

Posted 13 April 2012 - 11:23 PM

Changed the title to include both Flashfake and Flashback so folks will know what is being talked about since Flashback is a more common name for it. Hope you don't mind Corrine.
Bambi
AKA Fran
